Authorities in the U.S. and Germany have raided Internet Service Providers in hopes of tracking down the hackers who launched distributed denial of service (DDoS) attacks against Web sites such as Visa.com, PayPal.com, and Mastercard.com earlier this month.

In documents posted Wednesday to the Smoking Gun Web site, the U.S. Federal Bureau of Investigation describes the complex path its investigation has taken as it has searched for the computers that served as a central meeting point for the attacks.

After Germany's Federal Criminal Police raided service provider Host Europe, they linked one of the IRC servers to Tailor Made Services in Dallas, the documents state. Two hard drives were seized from Tailor Made Services on Dec. 16, the Smoking Gun reports. Another IRC server has been traced to Hurricane Electric in Fremont, California.

The early-December attacks were part of a grassroots campaign called "Operation Payback," which tried to put pressure on companies that had severed relations with WikiLeaks after it began publishing classified U.S. Department of State cables. Operation Payback is the work of a group called Anonymous, which has launched similar attacks against the Church of Scientology and the Motion Picture Association of America in the past.

The attacks were strong, but minimally disruptive. They knocked Web sites offline, but they didn't touch any of the targets' back-end transaction processing systems. They also garnered a lot of publicity for Anonymous.

Ringleaders urged volunteers to download software that flooded Web sites with useless Internet traffic, ultimately causing many of them to grind to a halt. Other victims included the Web sites of WikiLeaks critic Sarah Palin and the Swedish Prosecutor's Office, which is pursuing sex charges against WikiLeaks founder Julian Assange.

The FBI investigation centers on the IRC servers used to coordinate the attacks. The FBI initiated the investigation on Dec. 9 after PayPal provided it with the Internet Protocol addresses of eight IRC servers used by the group.

The bug in Microsoft Word 2002, 2003, 2007 and 2010 was patched Nov. 9 as part of Microsoft's monthly security update.

Word 2008 and 2011 for the Mac have also been patched, but Microsoft has not yet issued a fix for the same flaw in the older Word 2004. The circulating attacks affect only Windows versions of the suite, however.

According to the Microsoft Malware Protection Center (MMPC), the group that investigates attack code and issues signature updates for the company's antivirus software, the first in-the-wild exploits were detected last week.

When Microsoft shipped the Word patch last month, it rated the bug as "1" on its exploitability index, meaning it expected consistent, working exploit code to appear within 30 days.

The attack uses a malicious RTF (Rich Text Format) file to trigger a stack-based buffer overflow in Word on Windows, said MMPC researcher Rodel Finones. Following a successful exploit, the attack code downloads and runs a Trojan horse on the compromised computer.

Finones said that the code "reliably exploits this [Word] vulnerability."

Last month, Microsoft rated the RTF vulnerability as "critical" in Word 2007 and 2010, but as "important" in all other affected versions.

At the time, outside researchers had singled the bug out as a likely target for attackers, because users running Office 2007 or 2010 could be compromised merely by previewing a specially crafted RTF document in the Outlook e-mail client.

"Once a [malformed] message hits the Outlook preview pane, remote code can be executed. You should patch this right away," Jason Miller, the data and security team manager for Shavlik Technologies, said on the day Microsoft released the patch.

Finones urged users who have not yet installed the November patch to do so as soon as possible.

More information about the vulnerability can be found in the MS10-087 security bulletin.

The MS10-087 update can be downloaded and installed using Microsoft Update and Windows Server Update Services (WSUS).
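Until the patch is everywhere, defenders usually want a quick static look at RTF attachments before anyone opens them. The following Python is an added example written for this page (it is not Microsoft's or MMPC's tooling, and it does not reproduce or detect the specific MS10-087 bug). It tokenizes an RTF file and flags features worth a closer look: embedded OLE object control words, numeric parameters outside the signed 16-bit range most control words are defined for, very long hex blobs, and unbalanced groups. The 512-pair hex-run threshold and the two sample documents are constructed assumptions.

```python
import re
from collections import Counter

# Control words that embed OLE objects or similar active content.
OBJECT_WORDS = {"object", "objdata", "objemb", "objclass", "objupdate", "objautlink", "objlink"}

# Most control-word parameters are defined as signed 16-bit integers.
PARAM_MIN, PARAM_MAX = -32768, 32767

CONTROL_WORD = re.compile(rb"\\([A-Za-z]+)(-?[0-9]+)?")
# 512 or more consecutive hex byte pairs: an assumed threshold for "large embedded blob".
HEX_RUN = re.compile(rb"(?:[0-9A-Fa-f]{2}\s*){512,}")


def scan_groups(data: bytes):
    """Walk the braces that delimit RTF groups, honouring \\{ \\} \\\\ escapes.
    Returns (final depth, deepest nesting seen); a final depth != 0 means unbalanced."""
    depth = deepest = i = 0
    while i < len(data):
        c = data[i]
        if c == 0x5C:          # backslash: next byte is escaped or starts a control word
            i += 2
            continue
        if c == 0x7B:          # {
            depth += 1
            deepest = max(deepest, depth)
        elif c == 0x7D:        # }
            depth -= 1
            if depth < 0:
                break
        i += 1
    return depth, deepest


def triage_rtf(data: bytes) -> dict:
    """Heuristic pre-open triage of an RTF file. A finding means 'look closer', not 'malicious'."""
    findings = []
    if not data.startswith(b"{\\rtf"):
        findings.append("missing {\\rtf header")
    depth, deepest = scan_groups(data)
    if depth != 0:
        findings.append(f"unbalanced groups (final depth {depth})")
    counts = Counter()
    seen_objects = set()
    for m in CONTROL_WORD.finditer(data):
        word = m.group(1).decode("ascii")
        counts[word] += 1
        if word in OBJECT_WORDS and word not in seen_objects:
            seen_objects.add(word)
            findings.append(f"embedded object control word \\{word}")
        if m.group(2) is not None:
            value = int(m.group(2))
            if not PARAM_MIN <= value <= PARAM_MAX:
                findings.append(f"\\{word}{value}: parameter outside 16-bit range")
    hex_runs = len(HEX_RUN.findall(data))
    if hex_runs:
        findings.append(f"{hex_runs} large hex blob(s)")
    return {"findings": findings, "control_words": counts,
            "max_group_depth": deepest, "hex_runs": hex_runs}


# Constructed samples: a plain document and one carrying an oversized parameter and an OLE blob.
BENIGN_RTF = rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Arial;}}\f0\fs24 Quarterly report\par}"
SUSPICIOUS_RTF = (rb"{\rtf1\ansi{\object\objemb\objw9999999\objh1{\*\objclass Package}{\*\objdata "
                  + b"0105000002000000" * 200 + rb"}}}")

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("suspicious", SUSPICIOUS_RTF)):
        print(name, triage_rtf(doc)["findings"])
```

Run it over a mail-gateway quarantine and sort by number of findings; a document that both embeds an object and carries a huge hex blob is the one to detonate in a sandbox first. The heuristics are deliberately loose, so expect false positives on legitimate documents with embedded spreadsheets.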

With the Federal Bureau of Investigation (FBI) treating successful cyber attacks by "Operation Payback" as criminal offenses, a new level of ambiguity is being introduced into the enforcement of cyber crime laws.

The FBI was treating efforts by "Anonymous" and "4chan" as an "unauthorized and knowing transmission of code or commands resulting in intentional damage to a protected computer system," according to a search warrant affidavit published online Thursday.

Not all distributed denial of service (DDoS) efforts are a crime. This is especially true when systems within the networks staging the attack are placed there voluntarily by their users, with thousands of willing individuals simply flooding a server by asking it to do what it's designed for: loading pages.

Botnets of this nature have been compared to cyber "sit-ins": a computer-age echo of civil rights-era protests.

However, a newly described weakness in peer-to-peer file sharing networks could let a single individual, rather than many, bring down large Internet operations by marshaling hundreds of thousands of other systems through "BitTorrent" trickery.

On "BitTorrent" networks, swarms of users all share portions of a single file, trading tiny pieces between their computers until each individual client has the complete download.

Millions of people engage in these networks every day, sharing everything from the perfectly legal to the legally ambiguous. Massive quantities of copyrighted material trade hands between users of "BitTorrent" networks regularly, but not much can be done to shut them down since many torrent files do not require a centralized tracker or host.

It is within these tracker-less torrents, which locate peers through a distributed hash table (DHT) rather than a central tracker, that a major attack can be staged, according to a recent talk at the Chaos Communication Congress, an annual hacker conference now in its 27th year.

With a tracker-less torrent and a single "malicious node," "anyone with a moderate bandwidth connection can induce DDoS attacks with the BitTorrent cloud," the lecture page summarized.

A Chaos Congress presenter under the name "Astro" demonstrated how that entire network's bandwidth can quickly become marshaled to attack a single domain.

"For example, one could tell tens of thousands of users that an HD version of Inception is available at an address that really is the web server of a corporation," technology publication Gigaom noted. "All of these users would immediately try to download the file under that address, bombarding the server with requests and possibly taking it down in the process."

And it's not just a single deceptive torrent file that can lead such an attack: according to TorrentFreak, this new method can utilize existing torrents already sharing information by hundreds of thousands of people.
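To make the mechanism concrete, here is an added Python example written for this page (it is not code from the 27C3 talk or from any BitTorrent client). It builds the DHT get_peers reply a lying node would return for any info_hash, decodes it the way a client does, and shows a simple client-side filter. The bencode and compact-peer formats follow BEP 3 and BEP 5; the victim address 203.0.113.5, the web-port filter and the per-IP cap are assumptions for illustration.

```python
import socket
import struct


def bencode(x) -> bytes:
    """Bencode (BEP 3): ints, byte strings, lists and dicts with byte-string keys."""
    if isinstance(x, bool):
        raise TypeError("bool is not bencodable")
    if isinstance(x, int):
        return b"i%de" % x
    if isinstance(x, bytes):
        return b"%d:" % len(x) + x
    if isinstance(x, list):
        return b"l" + b"".join(bencode(i) for i in x) + b"e"
    if isinstance(x, dict):
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in sorted(x.items())) + b"e"
    raise TypeError(f"cannot bencode {type(x).__name__}")


def bdecode(data: bytes):
    """Inverse of bencode; rejects trailing bytes."""
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":
            j = data.index(b"e", i)
            return int(data[i + 1:j]), j + 1
        if c in (b"l", b"d"):
            i += 1
            items = []
            while data[i:i + 1] != b"e":
                v, i = parse(i)
                items.append(v)
            if c == b"l":
                return items, i + 1
            return dict(zip(items[0::2], items[1::2])), i + 1
        j = data.index(b":", i)
        n = int(data[i:j])
        return data[j + 1:j + 1 + n], j + 1 + n
    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def compact_peer(ip: str, port: int) -> bytes:
    """BEP 5 compact peer info: 4-byte IPv4 address followed by a 2-byte big-endian port."""
    return socket.inet_aton(ip) + struct.pack("!H", port)


def parse_peers(values):
    return [(socket.inet_ntoa(v[:4]), struct.unpack("!H", v[4:6])[0]) for v in values]


def lying_get_peers_reply(txid: bytes, node_id: bytes, token: bytes,
                          victim_ip: str, victim_port: int, copies: int = 1) -> bytes:
    """What a malicious DHT node answers to a get_peers query for *any* info_hash:
    a perfectly well-formed reply whose peer list is the victim, not a real seed."""
    return bencode({b"t": txid, b"y": b"r",
                    b"r": {b"id": node_id, b"token": token,
                           b"values": [compact_peer(victim_ip, victim_port)] * copies}})


WEB_PORTS = {80, 443, 8080}   # assumed filter: "seeds" listening on web ports are suspicious


def filter_peers(peers, max_per_ip: int = 2):
    """Client-side mitigation (an assumption, not something the talk or any client specifies):
    drop peers on web ports and cap how many entries one IP may contribute from one reply."""
    kept, per_ip = [], {}
    for ip, port in peers:
        if port in WEB_PORTS:
            continue
        per_ip[ip] = per_ip.get(ip, 0) + 1
        if per_ip[ip] <= max_per_ip:
            kept.append((ip, port))
    return kept


def attempts_against(reply: bytes, victim_ip: str, swarm_size: int, mitigated: bool) -> int:
    """Connection attempts the victim receives if `swarm_size` clients each act on this reply."""
    peers = parse_peers(bdecode(reply)[b"r"][b"values"])
    if mitigated:
        peers = filter_peers(peers)
    return swarm_size * sum(1 for ip, _ in peers if ip == victim_ip)


if __name__ == "__main__":
    reply = lying_get_peers_reply(b"aa", b"\x11" * 20, b"tok", "203.0.113.5", 80, copies=3)
    print(reply)
    print("unmitigated:", attempts_against(reply, "203.0.113.5", 20000, False))
    print("mitigated:  ", attempts_against(reply, "203.0.113.5", 20000, True))
```

The point the numbers make is that the attacker sends one small UDP reply per query and the swarm does the rest; nothing in the reply is malformed, so the defence has to be a policy decision in the client about which peers it is willing to contact.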

Double-edged sword

The exploit would appear to be a new innovation in the formation of what are known as "botnets," or computers with malicious software that are at least partially under the control of a remote operator, in many cases a cyber criminal who uses the distributed computer power for nefarious purposes.

The largest botnet on the Internet was said to be "Rustock," according to an intelligence report released earlier this month by online security firm Symantec Hosted Services. "Rustock" was responsible for over 44 billion spam emails every day, they said.

Utilization of such technology to attack the web operations of companies like MasterCard Worldwide or PayPal -- both of which, among others, were brought down earlier this month by "Operation Payback" for their refusal to do business with secrets outlet WikiLeaks -- would likely be classified a serious crime.

The FBI has already raided a Dallas-based hosting company and copied the contents of two hard drives in connection with attacks on PayPal, and a 16-year-old Dutch teen was arrested for allegedly running a chat room connected to "Anonymous." It is reasonable to expect more raids soon.

Given the tactics of "Anonymous," answering each official escalation against WikiLeaks with increasingly larger attacks, it may be only a matter of time before torrents are used to attack a major bank or even the US government.

While the latest round of DDoS attacks on high-profile corporate entities is certainly notable for their sporadic success at bringing major operations down for brief periods, the latest development in DDoS may pose an even greater problem for small organizations dealing with human rights or issues of political controversy.

Amid the rise of the Internet's "hypergiants" -- the massive Internet service providers (ISPs) and network operators at the core of Earth's global communications platform -- smaller media organizations and human rights groups have found themselves on the network's outer fringes, and frequently the targets of devastating cyber-attacks.

Network security know-how is often unavailable to these organizations because that expertise is drawn to better-paying jobs at major firms. That has created an imbalance on the Internet, with just 30 firms soaking up over 30 percent of the Internet's total bandwidth, according to a recent Harvard University study (PDF) carried out by the Berkman Center for Internet & Society.

Researchers found that between August 2009 and September 2010, a collection of just 280 sites run by human rights organizations were hit with 140 different DDoS attacks. There were likely many others that went unnoticed.

The torrent exploit would appear to be a double-edged sword for so-called "hacktivists" who might view it as a new weapon for "Operation Payback." While this may mean the next wave of DDoS against the opponents of WikiLeaks will potentially be much larger than the DDoS attacks of December 2010, the same tactics could also be used against groups that promote valuable human rights causes.


Starting with January 1st, 2011, Indian banks will require an additional security code in order to authorise phone banking transactions, according to regulatory guidelines issued by the Reserve Bank of India (RBI).

Known as one-time passwords (OTP), these codes are part of what is known as two-factor authentication and provide an extra layer of security. The RBI directive is mandatory for all banks that offer phone banking services, including those based on Interactive Voice Response (IVR) systems.

IVR refers to technology that lets customers perform actions via their phone's keypad and receive confirmation through pre-recorded audio messages.

As their name implies, OTPs can only be used once, meaning that a new code must be generated for each separate transaction.

This can be done by the bank and sent to the customer's mobile phone number or via an electronic device called a hardware token, which is supplied to the client in advance.

In both cases the customer needs to visit the bank first, either to pick up their OTP generator or to update the mobile phone number on record.

Then, when a transaction is initiated over the telephone, the bank will ask for the credit card number, expiration date, CVV2 code, mobile number and OTP.
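The page does not say which OTP algorithm Indian banks use. As an added example (not any bank's implementation), the following Python shows the standard counter-based HOTP of RFC 4226 for both delivery paths described above: a bank-side issuer that generates the code to be sent by SMS for one transaction and accepts it exactly once, and a verifier for a customer-held hardware token that tolerates skipped button presses with a look-ahead window. The class names, the window size and the use of the RFC 4226 test key are assumptions.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


class SmsOtpIssuer:
    """Bank-side path: the bank generates the code, sends it to the phone number on record,
    and accepts it exactly once, only for the transaction it was issued for. (Illustrative.)"""

    def __init__(self, key: bytes):
        self.key = key
        self.next_counter = 0
        self.pending = {}          # transaction id -> counter the code was derived from

    def issue(self, transaction_id: str) -> str:
        counter = self.next_counter
        self.next_counter += 1     # every transaction gets a fresh counter, hence a fresh code
        self.pending[transaction_id] = counter
        return hotp(self.key, counter)

    def verify(self, transaction_id: str, code: str) -> bool:
        counter = self.pending.pop(transaction_id, None)   # pop: a second attempt finds nothing
        if counter is None:
            return False
        return hmac.compare_digest(hotp(self.key, counter), code)


class HardwareTokenVerifier:
    """Token path: the customer's device holds the key and its own counter. The bank accepts a
    code matching any of the next `lookahead` counters (presses can be skipped), then moves its
    counter past the match so the same code can never be accepted again."""

    def __init__(self, key: bytes, lookahead: int = 5):
        self.key = key
        self.counter = 0
        self.lookahead = lookahead

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.lookahead):
            if hmac.compare_digest(hotp(self.key, c), code):
                self.counter = c + 1
                return True
        return False


if __name__ == "__main__":
    key = b"12345678901234567890"        # RFC 4226 test key; a real shared secret is random
    bank = SmsOtpIssuer(key)
    code = bank.issue("txn-1")
    print("SMS code", code, "first use", bank.verify("txn-1", code),
          "replay", bank.verify("txn-1", code))
    token = HardwareTokenVerifier(key)
    print("token press 2", token.verify(hotp(key, 1)), "replay", token.verify(hotp(key, 1)))
```

The one-time property comes from state on the bank's side, not from the code itself: the issuer forgets the counter the moment a code is consumed, and the token verifier never looks backwards. Note that the SMS path still depends on the phone number on record being correct, which is why the RBI requires the in-person update.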

According to the Business Standard, several banks, including Citibank and HDFC Bank, have already notified their customers about the new requirement, while others are currently in the process of doing so.

"Starting January 1, 2011 these (IVR) transactions need to be authenticated with an additional password. This is mandatory according to the RBI guideline," the HDFC Bank notification letter explains.

OTPs were introduced for online banking in 2008, and RBI regulations require signature verification and identity verification for card-present transactions.


Sonic.net today announced it has been selected to operate and support the trial fiber-to-the-home network Google is building at Stanford University. This experimental project will test new fiber construction and operation methods, while delivering full gigabit speeds to approximately 850 faculty and staff owned homes on campus.

Sonic.net will manage operation of the network, provide customer service and support and perform on-site installation and repair. Sonic.net is Northern California’s leading independent Internet service provider.

The Stanford trial network is completely separate from the community selection process for Google’s Fiber for Communities project, which is still ongoing. Google’s ultimate goal is to build a fiber-to-the-home network that reaches at least 50,000 and potentially up to 500,000 people, and it plans to announce its selected community or communities by the end of the year.

Sonic.net currently operates California’s largest open Internet access network, offering services today primarily via next-generation copper. The Santa Rosa-based company previously announced its own plans to deliver a fiber-to-the-home network in Sebastopol, Calif., and looks forward to working with Google on the innovative gigabit network being planned for the Stanford community. Sonic.net’s open network provides services to seventy other Internet service providers delivering broadband services across a thirteen state territory.

Construction of the Stanford fiber network will begin in early 2011.

“Sonic.net is an innovative ISP that brings top notch experience to the Google Fiber for Communities project,” said James Kelly, Google Fiber for Communities product manager. “Their open access experience and well regarded customer service team will play a key role as we kick off our beta network at Stanford.”

“We are very excited to have the opportunity to work with Google on this project,” said Dane Jasper, CEO & Co-Founder of Sonic.net. “It’s a great fit for our existing capabilities, and will help us develop new skills as we move our own network toward fiber.”

About Sonic.net Inc.

Sonic.net, founded in 1994, provides broadband access to consumers and wholesale partners in a thirteen state region. Sonic.net’s leading product is “Fusion”, which combines unlimited broadband and unlimited local and long distance home telephone service. Sonic.net adopted a European pricing model for “Fusion,” forgoing the common practice of limiting a customer’s Internet speed based on pricing tiers. For $39.95, every Fusion customer gets the maximum Internet speed possible at their location — up to 20Mbps — plus a traditional phone line with unlimited U.S. calling. For more information, visit www.sonic.net.

About Google Inc.

Google’s innovative search technologies connect millions of people around the world with information every day. Founded in 1998 by Stanford Ph.D. students Larry Page and Sergey Brin, Google today is a top web property in all major global markets. Google’s targeted advertising program provides businesses of all sizes with measurable results, while enhancing the overall web experience for users. Google is headquartered in Silicon Valley with offices throughout the Americas, Europe and Asia. For more information, visit www.google.com.

In China, a trojan has appeared that uses the extensive permissions it requests at install time to read information such as the address book from Android phones and send it over the internet to remote servers. As the Lookout blog reports, the malware, called Geinimi, is the most sophisticated Android malware seen to date: it not only acts on its own but can also be remotely controlled from a server. Geinimi hides itself by encrypting the data it needs to run and by obfuscating its Java bytecode.

In addition to the address book, the trojan can also read out the cell phone's position data, device ID (IMEI), SIM card number (IMSI), and a list of the installed apps. It is not yet clear what the developers of Geinimi are ultimately trying to do.

Geinimi is bundled into repackaged versions of popular apps, most of them games distributed through third-party app catalogues. According to the Lookout blog, the following applications are affected: Monkey Jump 2, Sex Positions, President vs. Aliens, City Defense and Baseball Superstars 2010. The similarly named apps in the official Android Market are reportedly not infected. If you install apps from obscure sources, review the permissions they request at install time rather than granting everything, and contact the vendor to find out which permissions the app actually needs.

At the 27th Chaos Communication Congress (27C3) hacker conference, security researchers demonstrated how open source software on a number of revamped, entry-level cell phones can decrypt and record mobile phone calls in the GSM network. Using a normal laptop and a homemade monitoring device, team leader Karsten Nohl of Berlin's Security Research Labs explained that GSM mobile communications can be decrypted in "around 20 seconds." He said his team was able to record and playback entire conversations in plain text.

Last year, Nohl and his team showed how they managed to crack the A5/1 encryption algorithm used in GSM, in three months using 40 distributed computers. Since then, he says his team has considerably improved the rainbow tables needed for the attack; the tables are once again available from the BitTorrent peer-to-peer network. Nohl says he has also made a lot of progress with the other hardware and software needed for the attack. Furthermore, the scenario for the attack has been redesigned and refined.

Nohl explained that the tapping process is made easier because all of the mobile communications operators exchange information about a cell phone's location via the SS7 network, which does not protect private user information especially well. For instance, special internet services can query the Home Location Register (HLR), a central database for the mobile communications network that maps the directory number to the IMSI and is the starting point for determining the cell phone's location. The Temporary Mobile Subscriber Identity (TMSI), which is used as a geographically and temporally limited ID for a subscriber when making a connection, can also apparently be obtained through what Nohl calls an "SMS trick": when an empty or incomplete text message is sent to a cell phone number, the network's responses can reveal whether the phone is within a particular base station's reach.

Once the TMSI allows a specific cell phone to be addressed, the data can be collected from the voice traffic in the cell phone network and subsequently decrypted. If a call is made or a text message sent over GSM, the cell phone to be addressed is first contacted via a signalling channel. If the cell phone responds, communication switches to a control channel or another frequency, and only then does encryption begin. Once the crypto process has begun, the actual conversation takes place in a traffic channel. To reduce interference, frequencies are regularly changed in a process known as "frequency hopping."

While it used to take devices costing some €35,000 to tap GSM cell phones, Nohl says that in the next few years that price will drop to €5,000 because conventional hardware and such open source components as OpenBSC and OsmocomBB will then be used. He says this hardware and software can already tap and record "a large part of the spectrum." But his team figured that every cell phone should be able to record GSM data. With that goal in mind, they managed to turn a disposable Motorola device for €10 into a powerful telephone tapper.

Nohl’s assistant Sylvain Munaut explained that open source firmware was installed on the telephone, the code used to process signals in the RAM was adjusted, and encrypted data were filtered out. The "sniffer" was able to record comprehensive basic GSM data with a fast USB cable and a filter for the uplinks and downlinks of mobile communications with a base station. At the conference, Munaut demonstrated how a computer controlling four specially crafted cell phones and a current TMSI can address a target telephone and launch encrypted communication by sending a text message. When the first round of communications data is analysed, a session key can be retrieved and used to record the uplink and downlink of a subsequent telephone call with a compromised cell phone. A special audio tool, which has not been made public, is then used to tap the phone.

Nohl called on mobile communications operators and network equipment suppliers to finally implement the straightforward procedures that would improve GSM encryption. For instance, it would be much harder to decrypt communication if random bytes were used as padding instead of the current fixed, predictable bytes, since known padding gives an attacker known plaintext to work from. Major network operators agreed to such a standard two years ago, but it is apparently still held up "in quality assurance at Nokia or Siemens" and not used in base stations. It would also be harder to determine a phone's location if a national home directory were used to send text messages. Session keys should also not be reused, and frequency hopping should be the norm. However, Nohl no longer supports the Chaos Computer Club's (CCC) call made last year to completely revamp the encryption algorithm; he says it would take too long and be too expensive. In contrast, he says that a number of design flaws have been improved in UMTS, though the improvements will not really help as long as the latest generation of cell phones still often falls back to GSM.
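For readers who want to see what the recovered session key actually does, here is an added Python implementation of the A5/1 keystream generator, written for this page (it is not Nohl's or Munaut's tooling and contains no rainbow-table attack). It follows the widely published description of the cipher: three LFSRs with majority clocking, a 64-bit key Kc and 22-bit frame number loaded bit by bit, 100 discarded clocks, then one 114-bit burst per direction. The sample key and frame number are constructed inputs. Once Kc is known, decrypting a burst is a single XOR with this keystream, which is the step that turns sniffed bursts into plaintext; and because the keystream depends only on Kc and the frame number, a reused session key means reused keystream.

```python
# Register sizes, feedback taps, clocking bits and output bits of A5/1's three LFSRs.
R1MASK, R2MASK, R3MASK = 0x07FFFF, 0x3FFFFF, 0x7FFFFF        # 19, 22 and 23 bits
R1TAPS, R2TAPS, R3TAPS = 0x072000, 0x300000, 0x700080        # bits 13,16,17,18 / 20,21 / 7,20,21,22
R1MID, R2MID, R3MID = 0x000100, 0x000400, 0x000400           # majority-clocking bits 8 / 10 / 10
R1OUT, R2OUT, R3OUT = 0x040000, 0x200000, 0x400000           # output bits 18 / 21 / 22


def parity(x: int) -> int:
    return bin(x).count("1") & 1


def clock_one(reg: int, mask: int, taps: int) -> int:
    """Shift one LFSR left by one, feeding back the parity of its tap bits."""
    return ((reg << 1) & mask) | parity(reg & taps)


class A51:
    """A5/1 keystream generator: 64-bit Kc and 22-bit frame number in, 114-bit bursts out."""

    def __init__(self, kc: bytes, frame: int):
        if len(kc) != 8 or not 0 <= frame < (1 << 22):
            raise ValueError("Kc must be 8 bytes and the frame number 22 bits")
        self.r1 = self.r2 = self.r3 = 0
        for i in range(64):                    # key loading: regular clocking, key bit XORed in
            self._clock_all()
            self._mix((kc[i >> 3] >> (i & 7)) & 1)
        for i in range(22):                    # frame number loading, the same way
            self._clock_all()
            self._mix((frame >> i) & 1)
        for _ in range(100):                   # 100 clocks under the majority rule, output discarded
            self._clock()

    def _mix(self, bit: int) -> None:
        self.r1 ^= bit
        self.r2 ^= bit
        self.r3 ^= bit

    def _clock_all(self) -> None:
        self.r1 = clock_one(self.r1, R1MASK, R1TAPS)
        self.r2 = clock_one(self.r2, R2MASK, R2TAPS)
        self.r3 = clock_one(self.r3, R3MASK, R3TAPS)

    def _clock(self) -> None:
        """Majority rule: a register steps only if its clocking bit agrees with the majority."""
        b1, b2, b3 = (self.r1 & R1MID) != 0, (self.r2 & R2MID) != 0, (self.r3 & R3MID) != 0
        maj = (b1 + b2 + b3) >= 2
        if b1 == maj:
            self.r1 = clock_one(self.r1, R1MASK, R1TAPS)
        if b2 == maj:
            self.r2 = clock_one(self.r2, R2MASK, R2TAPS)
        if b3 == maj:
            self.r3 = clock_one(self.r3, R3MASK, R3TAPS)

    def _output_bit(self) -> int:
        return parity(self.r1 & R1OUT) ^ parity(self.r2 & R2OUT) ^ parity(self.r3 & R3OUT)

    def burst(self, nbits: int = 114) -> bytes:
        """Next keystream burst, packed MSB-first. The first call after setup yields the
        downlink (network to phone) burst, the second the uplink burst for the same frame."""
        out = bytearray((nbits + 7) // 8)
        for i in range(nbits):
            self._clock()
            out[i >> 3] |= self._output_bit() << (7 - (i & 7))
        return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def decrypt_frame(kc: bytes, frame: int, downlink_ct: bytes, uplink_ct: bytes):
    """With Kc recovered, decrypting a frame is one XOR per direction with the regenerated keystream."""
    gen = A51(kc, frame)
    return xor_bytes(downlink_ct, gen.burst()), xor_bytes(uplink_ct, gen.burst())


if __name__ == "__main__":
    kc = bytes.fromhex("1223456789abcdef")     # constructed sample key and frame number
    gen = A51(kc, 0x134)
    print("downlink keystream:", gen.burst().hex())
    print("uplink keystream:  ", gen.burst().hex())
```

Everything after setup is 64 bits of secret state driving a few hundred bit operations per burst, which is why precomputed tables can invert it and why the cheap phones described above are enough to capture the bursts.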

It’s a scene from an as-yet-unmade thriller: Across a country, tens of thousands of cellphones all blink white at the same time and turn themselves off. Calls are lost, phones are rendered useless, and the affected mobile operator is forced to pay a ransom or lose customers.

It hasn’t happened yet. But speaking at the Chaos Computer Club Congress here, German researchers showed how vulnerabilities in some of the simplest, but most common, phones in the world could conceivably lead to just such a scenario.

Mobile phone security has been a growing concern due to the increasing popularity of smartphones, whose web-browsing and app-running capabilities allow attacks similar to those made against computers. Yet more than 85 percent of the world’s cellphones are feature phones — simple devices with the ability to play MP3s or browse the web, but without the power of the iPhone or Android-based handsets.

Vulnerabilities have been found in this type of phone before, but new open source tools allowing individuals to set up their own private GSM networks have helped researchers find a host of bugs ranging from pesky to serious in many of the world’s most common handsets.

“With the openness in the GSM on the network side, we can look at the closed stuff now,” said Collin Mulliner, a researcher at Berlin’s Technical University. “And if we’re able to look at closed stuff, it usually breaks.”

Mulliner and colleague Nico Golde set up their own GSM network in their lab, allowing them to freely test the effects of sending SMS messages containing a variety of potentially damaging payloads.

The result was bugs, and plenty of them. Popular models of phones from Nokia (the S40 and related models, except for the very newest release), Sony Ericsson (the w800 and several related models), LG (the LG 320), Samsung (the S5230 Star and S3250), Motorola (the RAZR, ROKR and SLVR L7) and India’s Micromax (the X114) all proved susceptible to what the researchers termed an “SMS of death.”

The exact results differed for each phone. In the worst cases, including the Nokia and Sony Ericsson, the message would disconnect the phone and force it to reboot, without registering the fact of the message’s receipt — in most cases forcing the operator’s network to continue sending the message and triggering the shutdown cycle again. Fixing the problem required putting the SIM card into a new, unsusceptible phone.

In the other cases, the payload-laden messages forced the phones’ interfaces to shut down, and disconnected the devices from the network. The researchers stressed that other phones likely had similar problems, but their research had focused on these common models.
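Testing for this class of bug needs a way to hand a phone well-formed messages whose fields can then be bent. The following Python is an added example written for this page (not the researchers' tool) that builds an SMS-SUBMIT PDU per 3GPP TS 23.040 with 7-bit packing, an optional concatenation user-data header and an optional class-0 "flash" data coding scheme. The length and header fields it computes (UDL, UDHL, information-element lengths, DCS) are the ones a tester would mutate on a private GSM network like the one described above; which fields the researchers actually mutated is not stated on the page. The destination number and text are constructed inputs, and only characters whose GSM 7-bit code equals their ASCII code are supported.

```python
# GSM 7-bit default alphabet positions that coincide with ASCII (letters, digits, space,
# most punctuation). Anything else would need the real TS 23.038 table, so it is rejected.
GSM_ASCII_COMPATIBLE = (set(range(0x20, 0x24)) | set(range(0x25, 0x40))
                        | set(range(0x41, 0x5B)) | set(range(0x61, 0x7B)))


def gsm7_pack(text: str, pad_bits: int = 0) -> bytes:
    """Pack septets into octets, LSB first (3GPP TS 23.038). pad_bits inserts leading fill bits so
    that user data following a UDH starts on a septet boundary."""
    bits, nbits, out = 0, pad_bits, bytearray()
    for ch in text:
        cp = ord(ch)
        if cp not in GSM_ASCII_COMPATIBLE:
            raise ValueError(f"character {ch!r} not in the ASCII-compatible GSM subset")
        bits |= cp << nbits
        nbits += 7
        while nbits >= 8:
            out.append(bits & 0xFF)
            bits >>= 8
            nbits -= 8
    if nbits:
        out.append(bits & 0xFF)
    return bytes(out)


def encode_address(number: str) -> bytes:
    """TP-DA: digit count, type-of-address 0x91 (international), nibble-swapped BCD, F-padded."""
    digits = number.lstrip("+")
    if not digits.isdigit():
        raise ValueError("address must be digits")
    count = len(digits)
    if count % 2:
        digits += "F"
    swapped = "".join(digits[i + 1] + digits[i] for i in range(0, len(digits), 2))
    return bytes([count, 0x91]) + bytes.fromhex(swapped)


def sms_submit(dest: str, text: str, flash: bool = False, concat=None) -> bytes:
    """SMS-SUBMIT PDU (3GPP TS 23.040) with no SMSC address and 7-bit user data.
    concat=(ref, total, seq) adds a concatenation user-data header (IEI 0x00);
    flash=True selects DCS 0xF0 (7-bit, message class 0, shown immediately on the display)."""
    udh = b""
    if concat is not None:
        ref, total, seq = concat
        udh = bytes([0x05, 0x00, 0x03, ref, total, seq])   # UDHL, IEI, IEDL, ref, total, seq
    first_octet = 0x01 | (0x40 if udh else 0x00)            # MTI = SMS-SUBMIT, UDHI if header present
    dcs = 0xF0 if flash else 0x00
    udh_bits = len(udh) * 8
    pad_bits = (7 - udh_bits % 7) % 7                        # fill up to the next septet boundary
    udh_septets = (udh_bits + 6) // 7
    body = gsm7_pack(text, pad_bits)
    udl = udh_septets + len(text)                            # UDL counts septets, header included
    if udl > 160:
        raise ValueError("text too long for a single PDU")
    return (bytes([0x00, first_octet, 0x00]) + encode_address(dest)
            + bytes([0x00, dcs, udl]) + udh + body)


if __name__ == "__main__":
    # Constructed inputs. With a GSM modem, send via AT+CMGS=<len>, where len excludes the SMSC octet.
    pdu = sms_submit("+46708251358", "hellohello")
    print(pdu.hex().upper(), "AT+CMGS=%d" % (len(pdu) - 1))
    print(sms_submit("+46708251358", "hi", flash=True, concat=(1, 2, 1)).hex().upper())
```

A fuzzing harness starts from a builder like this and then breaks one invariant at a time: a UDL that disagrees with the byte count, an IEDL longer than the header, a sequence number above the total, or a DCS the phone's firmware does not expect. Do that only on a lab network you own, as the researchers did; on a public network the malformed messages reach real handsets.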

At first glance, these problems appear to be relatively minor compared to the botnet or trojan susceptibilities of smartphones. But these simple attacks could cause serious problems, potentially for a single well-chosen target, or — more disturbingly — if launched on a large scale.

This could be relatively easily done, Mulliner said. In Germany, for example, mobile-phone-number prefixes are associated with specific operators, allowing large-scale attacks to be mounted on a single operator’s customer base relatively easily. Bulk SMS messages tailored to attack specific common phones by the thousands could be sent using commercial SMS spam services, by activating botnets hiding on mobile phones, or even by an insider at a telephone company.

This kind of large-scale attack potential raises the possibility that a telco itself could be held hostage by an outsider threatening to flood its customers with reboots or even broken phones, researchers said.

Alternately, some police forces around the world rely on cellphones to communicate in areas where their two-way radios function poorly. An attack on a common model used by a police force could disrupt communications at a critical time.

The trouble is that these bugs aren’t easy to fix. Inexpensive “feature phones” rarely if ever receive firmware updates today. But the potential for abuse of bugs that are becoming easier to find means this practice might have to change, the researchers said.

“Manufacturers need to find a way to do firmware updates, and make sure to advertise them,” Mulliner said.

Criminals this week hijacked ChronoPay.com, the domain name for Russia’s largest online payment processor, redirecting hundreds of unsuspecting visitors to a fake ChronoPay page that stole customer financial data.

Reached via phone in Moscow, ChronoPay chief executive Pavel Vrublevsky said the bogus payment page was up for several hours spanning December 25 and 26, during which time the attackers collected roughly 800 credit card numbers from customers visiting the site to make payments for various Russian businesses that rely on ChronoPay for processing.
In the attack, ChronoPay’s domain was transferred to Network Solutions, and its domain name system (DNS) servers were changed to “anotherbeast.com,” a domain registered at Network Solutions on Dec. 19, 2010.
The attackers left a message on the ChronoPay home page – designed to look as if it had been posted by Vrublevsky (see image above) – stating that hackers had stolen the personal data of all ChronoPay users who had shared payment information with the company in 2009 and 2010.
Vrublevsky said the message was faked — that it was “absolutely not true” — and that the damage was limited to the 800 card numbers. He added that the company was still working with its registrar Directnic and with Network Solutions to understand how the attackers managed to hijack the domain.
The hackers also stole and posted online at least nine private keys for the secure sockets layer (SSL) certificates that encrypt customer transactions at chronopay.com; anyone holding a certificate’s private key can impersonate the site to browsers, so those certificates would need to be revoked and reissued. Vrublevsky said all but one of those certs were issued long ago: one was issued in September, albeit with an older key, he said.
Loyal readers of this blog may have noticed that I have spent a lot of time digging into the activities and history of ChronoPay and Vrublevsky. In my earliest report on these two, I followed a string of evidence that suggested Vrublevsky also was the founder and curator of Crutop.nu (NSFW), a Russian adult Webmaster forum that has been linked to all kinds of badness. In that report, I noted that Crutop.nu and Chronopay.com even shared the same Google Analytics code (UA-630887) on their homepages, which further suggested a fundamental connection between the two sites.
At the time, a ChronoPay spokesperson dismissed the connection, yet the code disappeared from the ChronoPay home page shortly after that story ran. But sometime recently — perhaps in the last few days — it was apparently put back. You can see it by loading the home page of each site, right-clicking on the page and selecting “view source” or “view page source,” depending on your browser. Here’s a list of the other sites that also are using this Google Analytics code.

Known to successfully slow down the Iranian nuclear program, the Stuxnet cyber worm is now expected to spawn variations that are predicted to disrupt non-traditional IT targets, from power grids to electronic voting stations.

The Stuxnet cyber worm is a very complex, efficient and stealthy piece of code that was first discovered in June 2010. And while it is likely the darling of Western governments for the disruption it unleashed on Iran's embryonic nuclear program, there are emerging concerns that variants of the Stuxnet worm could bring widespread havoc to systems around the world, beyond the traditional information technology targets.

eWeek reported on Tuesday that the Stuxnet worm is thought to have damaged as many as 1,000 Iranian centrifuges, after having already infected more than 62,000 computer systems in Iran alone. The genius of the Stuxnet code was reported to lie in its subtle manipulation of centrifuge motor speeds, driving the rotors just far enough outside their normal range to wear them out.

That manipulation was made possible by code carried in on ordinary USB thumb drives, a quiet route that took the worm from Windows computers into the industrial control software and programmable logic controllers that run the centrifuge motors.

The inevitable evolution of the Stuxnet worm is now expected to yield variants that can target multitudes of electronic operating systems - such as those governing national power grids, according to eWeek.

"We need to think above and beyond expected targets, which are not servers or routers," Adam Bosnian, an executive vice president for information security company Cyber-Ark, told eWeek.

According to an August 2010 Symantec study on the impact of the Stuxnet worm, the malware has hit 62,867 computers in Iran; 13,336 in Indonesia; 6,552 in India; 2,913 in the United States; 2,436 in Australia; 1,038 in the United Kingdom; 1,013 in Malaysia; and 993 in Pakistan.

The Thai Netizen Network has issued a statement calling for a review of Thai cybercrime laws in light of curbs on free speech and has issued a book for netizens to help them safeguard their privacy and circumvent censorship at the same time.

Supinya Klangnarong, co-ordinator of the Thai Netizen Network, said that the biggest problem was articles 14 and 15, which are ambiguous, overly broad and overlap with criminal law.

Over the years, articles 14 and 15 have been used to silence political dissent, she said.

The case of Prachathai webmaster Chiranuch Premchaiporn was cited as an example of the arbitrary nature of the laws. She was arrested for leaving comments up on the site for 20 days. That number is not in any law.

The problem is with the role of the intermediary - that of ISPs (Internet service providers), search engines or blog hosts. Under current law, they are treated as if they were editors. That is simply impractical without bringing the Internet in Thailand to a stop.

That said, as bad as the computer misuse act is, the government has not even needed to use it: it has shut down many websites under the state of emergency, which allows no recourse for appeal.

Sarinee Achavanuntakul said that the computer misuse act is being used for purposes other than those it was envisioned for. The nature of the Internet means that users are both consumers and media. Laws must evolve over time.

She warned that websites that support the current government and stay silent might be shut down under the same law by the next government, and urged netizens to rise up.

The computer misuse act does not differentiate between speech on the Internet and offline speech or actions.

The Thai Netizen Network also has issued a handbook for citizen journalists.

A citizen reporter is anyone who communicates, blogs or Tweets in a way that is not private.

The Thai Netizen Network handbook explains all the tools, such as blogs, Twitter and Facebook (in Thai). There are recommendations on the tools, on how to be followed and how to distribute information, and technical guidance on how to circumvent censorship.

Facts need to be differentiated (with links) from opinions. Citizen journalism is two-way communication so people can respond.

Detectives from London’s Metropolitan Police Service’s cyber crime unit have in the past year shut down 1,800 bogus websites, which were either fraudulent or advertising counterfeit goods, ranging from tickets to Premier League soccer games to Ugg boots and jewelry from Tiffany & Co.

The preventative action was carried out in partnership with Nominet–the public body for U.K. domain name registrations–and involved a boosted effort around the holidays, a time when there is traditionally a spike in this type of crime as fraudsters take advantage of the increased number of online consumers.

“The removal of these websites will have prevented numerous victims from falling foul to this type of offense,” said Detective Inspector Paul Hoare of the Police Central e-Crime Unit in a statement. “Good advice for online shoppers can be found at the Consumer Direct and Get Safe Online websites but as always, our advice is that as a general rule, if something looks like it is too good to be true, it probably is.”

The attack doesn’t quite make a surfer’s activity an open book, but offers the ability for someone on the same local network — a Wi-Fi network provider, or an ISP working at law-enforcement (or a regime’s) request, for example — to gain a potentially good idea of sites an anonymous surfer is viewing.

“Developers have to be aware of this kind of attack, and develop countermeasures,” said Dominik Herrmann, a Regensburg Ph.D student studying profiling and fingerprinting attacks. “But that proves to be very difficult.”

The research, performed by a variety of collaborators in Germany working on anonymity measures, represents a warning for privacy-conscious users wary of spying eyes, whether behind net-unfriendly borders or simply corporate firewalls.

Tor is essentially an online mask, rather than a tool that hides the fact or content of communication itself. The project’s developers are addressing the problem of traffic analysis — essentially the threat that an attacker or observer might be able to tease out a person’s identity, location, profession, social network or other information about the message content by analyzing a message’s unencrypted headers.

To hide this information, the Tor system routes messages around a winding path of volunteer servers across the net, with each relay point knowing only the address of the previous and next step in the pathway.

Once this circuit has been established, neither an eavesdropper nor a compromised relay will theoretically have the ability to determine both the source and destination of a given piece of communication. According to the Tor project’s latest metrics, the network has drawn between 100,000 and 300,000 users a day over the last several months.

Herrmann and his fellow researchers say there’s a partial flaw in this arrangement, however. A potential eavesdropper on the end user’s own network still has the ability to analyze the patterns of data being returned, and in many cases will be able to develop a reasonable guess about the source of the communication.

An attacker — perhaps an ISP instructed by law enforcement or a government to engage in such surveillance — would first have to develop a list of potential sites that the target might be visiting, or that it was interested in monitoring. It would then run the Tor system itself, testing the way these sites appeared when accessed through Tor, developing a database of “fingerprints” associated with the sites of interest.

Once the target of the surveillance went online, the eavesdropper would capture the packet stream as it crossed the local network, and compare the source data with its fingerprint database using pattern-recognition software. Any match would be only statistical, giving somewhere between 55 percent and 60 percent certainty, Herrmann said — not enough to provide hard evidence in court, but likely more certainty than many people seeking privacy might be comfortable with.

Different online destinations will carry different susceptibility to fingerprinting, of course. Unusual sites, with characteristics such as very heavy or large graphic use, can be more easily identified, Herrmann said. By the same token, the easiest way for a website to fool such an eavesdropper would be to make its site look as closely as possible like another popular site — mimicking the look of the Google site, for example, one of the most commonly accessed pages on the web.

Users can guard against this type of fingerprint-based eavesdropping relatively easily, Herrmann noted. Downloading or requesting more than one site at a time through the network will muddy the pattern enough that certainty will be very difficult for the eavesdropper to establish.
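A toy model of the fingerprinting arrangement described above and of the mitigation Herrmann suggests. This is an added example on constructed packet traces, not code from the Regensburg research: site "fingerprints" are packet-size histograms, a capture is matched by cosine similarity, and fetching a second site at the same time is shown to collapse the eavesdropper's margin of confidence.

```python
"""Toy model of traffic-pattern fingerprinting and the 'fetch several sites at
once' mitigation. Added example on constructed traces, not Herrmann's code."""
from collections import Counter
from math import sqrt

BUCKET = 100  # packet sizes are grouped into 100-byte buckets

def fingerprint(sizes):
    """Normalised histogram of bucketed packet sizes for one page load."""
    counts = Counter(size // BUCKET for size in sizes)
    total = sum(counts.values())
    return {bucket: n / total for bucket, n in counts.items()}

def similarity(a, b):
    """Cosine similarity of two fingerprints (1.0 = identical shape)."""
    dot = sum(v * b.get(k, 0.0) for k, v in a.items())
    norm = sqrt(sum(v * v for v in a.values())) * sqrt(sum(v * v for v in b.values()))
    return dot / norm

def classify(trace, db):
    """Best-matching site, its score, and the margin over the runner-up;
    a small margin means the eavesdropper cannot be confident."""
    fp = fingerprint(trace)
    ranked = sorted(((similarity(fp, f), site) for site, f in db.items()), reverse=True)
    (best_score, best_site), (second_score, _) = ranked[0], ranked[1]
    return best_site, best_score, best_score - second_score

def interleave(a, b):
    """Merge two traces as a sniffer would see two concurrent downloads."""
    merged = []
    for i in range(max(len(a), len(b))):
        merged.extend(t[i] for t in (a, b) if i < len(t))
    return merged

# Constructed packet-size traces (bytes) for the eavesdropper's fingerprint database.
TRAIN = {
    "text-heavy": [1500] * 3 + [600] * 10 + [200] * 20,
    "image-heavy": [1500] * 40 + [1200] * 5 + [200] * 3,
    "sparse-home": [500] * 4 + [300] * 6 + [100] * 5,
}
DB = {site: fingerprint(trace) for site, trace in TRAIN.items()}

# Constructed capture of the target loading the image-heavy site alone, and the
# same load interleaved with a concurrent fetch of the text-heavy site.
OBSERVED = [1500] * 38 + [1300] * 4 + [1200] * 4 + [200] * 4
MUDDIED = interleave(OBSERVED, TRAIN["text-heavy"])

if __name__ == "__main__":
    print("alone:  ", classify(OBSERVED, DB))   # image-heavy, score ~0.99, margin ~0.77
    print("muddied:", classify(MUDDIED, DB))    # margin collapses to ~0.24
```

The merged capture still leans toward the right site, but the gap to the runner-up shrinks by two thirds, which is the "only statistical" certainty the article describes.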

The research may not dissuade many from using Tor, which remains one of the most promising approaches for individuals seeking to hide aspects of their identity or online activity. But it may well make them work harder.

In its 2011 IT security predictions, Panda Security is predicting that a further rising tide of malware, along with an online cyberwar plus cyberprotests, will be the order of the day as the year progresses.

According to Luis Corrons, Panda's technical director, during 2010 we have seen a significant growth in the amount of malware, a constant theme over the last few years.

"This year, more than 20 million new strains have been created, more than in 2009. At present, Panda's collective intelligence database stores a total of over 60 million classified threats. The actual rate of growth year-on-year however, appears to have peaked: some years ago it was over 100%. In 2010 it was 50%. We will have to wait and see what happens in 2011", he said in a security blog.

Corrons added that, also during 2010, with Stuxnet and the WikiLeaks cables suggesting the involvement of the Chinese government in the cyberattacks on Google and other targets, a turning point in the history of these conflicts has occurred.

In cyberwars, he says, as with other real-world conflicts today, there are no ranks of uniformed troops making it easy to distinguish between one side and another.

"This is like guerrilla warfare, where it is impossible to discern who is launching the attack or from where. The only thing it is possible to ascertain is the objective", he explained.

Corrons argues that, in the case of Stuxnet, it was clearly an attempt to interfere with processes in nuclear plants, and specifically, with uranium centrifuges.

Attacks such as these, he says, albeit more or less sophisticated, are still ongoing, and will no doubt increase during 2011, although many of them will go unnoticed by the general public.

And so on to cyberprotests which were, he says, the major new issue in 2010. Cyberprotests – or hacktivism – he adds, are all the rage. This new movement was initiated by the Anonymous group and Operation Payback, targeting firstly organisations trying to close the net on Internet piracy, and later in support of Julian Assange, editor-in-chief of WikiLeaks.

Even users with limited technical know-how can join in the distributed denial of service attacks (DDoS) or spam campaigns, he noted.

"Despite hasty attempts in many countries to pass legislation to counter this type of activity, effectively by criminalising it, we believe that in 2011 there will be yet more cyber-protests, organised by this group or others that will begin to emerge", he said.

"The internet is increasingly important in our lives and is a channel for expression that offers anonymity and freedom, at least at the moment, so we will no doubt see more examples of this kind of civil protest", he added.

Other areas of concern for 2011, Corrons went on to say, will include security problems involving social engineering, as well as Windows 7 influencing malware development.

"As we mentioned last year, it will take at least two years before we start to see the proliferation of threats designed specifically for Windows 7. In 2010 we have begun to see a shift in this direction, and we imagine that in 2011 we will continue to see new cases of malware targeting users of this new operating system", he said.

There will also be security problems surrounding cellular phones as they make the transition to smartphones, he says, adding that his prediction for 2011 is that the number of threats for Android will increase considerably throughout the year, as the platform becomes the number one target for cyber-crooks.

The overall picture with IT security, he notes, is not improving and whilst we have seen several hacker arrests in 2010, they have been sadly insufficient when we consider the scale of what we are fighting against.

"Profits from this black market amount to thousands of millions of dollars, and many criminals operate with impunity thanks to the anonymity of the Internet and numerous legal loopholes", he said.

"The economic climate has contributed to the seriousness of the situation: as unemployment grows in numerous countries, many people see this as a low risk opportunity to earn money, though this does not detract from the fact that it is a crime", he added.

A coordinated DDoS attack from an unknown source temporarily knocked 4chan offline in the latest attack against the high-profile group. The 4chan forum helped to create and cultivate the Anonymous hacker group that has used DDoS attacks against numerous companies in recent months as part of Operation Payback.

4Chan’s site was down for more than 24 hours, but is back online after suffering its most damaging attack as of late. The site has continued to gain more notoriety as WikiLeaks remains in the headlines, and DDoS attacks aren’t uncommon against 4chan.

As part of Operation Payback, the Anonymous group attacked a number of websites of companies that were standing up against WikiLeaks.

Credit card companies such as Visa, MasterCard and PayPal cut direct ties with WikiLeaks, cutting off donations to the site. Anonymous then targeted the websites of these companies with coordinated DDoS attacks, causing many hours of downtime. Other groups and political figures were targeted for speaking out against file sharing and other reasons, with future attacks expected in the new year.

4Chan posted the following message on its status website regarding the attack: “Site is down due to DDoS. We now join the ranks of MasterCard, Visa, PayPal — an exclusive club!”

Site admins may have a jolly attitude regarding the DDoS downtime publicly, but it wouldn’t be surprising if Anonymous launches a retaliation effort later.

The attacks against 4Chan could be retaliation for the Anonymous attacks against PayPal, Amazon, Visa, MasterCard, and other targets as of late. It’s unknown who is behind the attacks, but it could be a rival hacker group tired of Anonymous and its continued high publicity attacks.

One hacker was accused of the 4chan attack, but he immediately denied direct involvement with the matter. Until someone claims responsibility, 4chan will likely look to work on its own network defenses.